China has stepped up its game in protecting personal data with new privacy laws that affect companies both inside and outside its borders. As data becomes more valuable in the growing digital world, it's crucial for businesses active in China to follow these rules. These laws are designed to keep personal information safe and change the way companies handle data.
If your business deals with personal data of people in China, you need to follow these laws closely to avoid heavy fines and disruptions. Understanding what the law says and what it means for your business is essential. Our guide will help you make sense of China's privacy laws so you can adjust how your business handles data and stays compliant.
General Provisions of China's Privacy Laws
Legislative Background
China has enacted several laws and regulations to protect the privacy of its citizens. The Personal Information Protection Law of the People's Republic of China (PIPL) is the most recent and comprehensive law that was passed by the National People's Congress in August 2021 and came into effect on November 1, 2021. The PIPL is similar to the General Data Protection Regulation (GDPR) of the European Union and provides a legal framework for the collection, use, storage, and transfer of personal information in China.
Scope and Application
The PIPL applies to the processing of personal information by all entities within the borders of China, including individuals, organizations, and government agencies. It covers personal information of natural persons, which includes, but is not limited to, name, date of birth, ID number, biometric information, and location data. The law also applies to the processing of personal information of individuals outside of China if the purpose of the processing is to provide products or services to individuals within China or to analyze and evaluate the behavior of individuals within China.
Under the PIPL, entities that process personal information must obtain the consent of the data subject and provide clear and concise information about the purpose, method, and scope of the processing. They must also implement appropriate measures to ensure the security of personal information and report any data breaches to the relevant authorities and affected individuals. The law also grants individuals the right to access, correct, and delete their personal information and to withdraw their consent at any time.
Personal Information Handling and Compliance
When it comes to handling personal information in China, there are specific rules and regulations that must be followed. This section will outline some of the key requirements for personal information handlers to ensure compliance with data privacy laws.
Consent and Processing Rules
Under China's Personal Information Protection Law (PIPL), personal information handlers must obtain consent from individuals before collecting, using, or disclosing their personal information. This means that individuals must be informed of the purpose of the collection and use of their personal information, as well as the scope and method of the collection.
Personal information handlers must also follow specific processing rules, such as limiting the collection of personal information to what is necessary for the purpose of processing, and ensuring the accuracy and completeness of the personal information collected.
Data Protection Officers
To ensure compliance with data privacy laws, personal information handlers must appoint a data protection officer (DPO) who is responsible for overseeing the handling of personal information. The DPO must have a good understanding of data privacy laws and regulations, and must ensure that the personal information handlers are complying with these laws.
The DPO is also responsible for responding to requests from individuals regarding their personal information, as well as reporting any breaches of personal information to the relevant authorities.
Data Security and Protection Measures
When it comes to data security and protection measures in China, there are various regulations that businesses and organizations must comply with. These regulations are designed to protect the privacy and security of individuals' personal information while ensuring that businesses can operate effectively in the country.
Data Localization and Transfer
One of the key requirements of China's privacy laws is the data localization requirement. This means that businesses must store and process personal information within China's borders. Critical Information Infrastructure Operators (CIIOs) must also comply with this requirement. This measure is designed to ensure that personal data is not transferred outside of China's borders, where it may be subject to different privacy laws or cybersecurity threats.
However, there are some exceptions to this requirement. For example, businesses can transfer data outside of China if they have obtained the necessary approvals from the relevant authorities. Additionally, businesses can transfer data outside of China if they have implemented appropriate security measures to protect the data during the transfer.
Incident Response and Remedial Actions
In the event of a data breach, businesses must take immediate action to contain the breach and notify the relevant authorities. They must also take steps to remediate the breach and prevent similar incidents from occurring in the future.
To ensure compliance with these requirements, businesses must have an incident response plan in place. This plan should outline the steps that the business will take in the event of a breach, including who will be responsible for managing the response, how the breach will be contained, and how affected individuals will be notified.
In addition to having an incident response plan, businesses must also conduct regular cybersecurity assessments to identify potential vulnerabilities and address them before they can be exploited by cybercriminals.
Rights of Individuals and Data Subjects
Under the Personal Information Protection Law (PIPL) in China, individuals and data subjects have certain rights regarding their personal information. These rights include access and correction, as well as protections against automated decision-making and profiling.
Access and Correction
Under the PIPL, individuals have the right to access and correct their personal information held by data controllers. Data controllers must provide individuals with access to their personal information within a reasonable period of time and correct any errors or inaccuracies upon request.
Automated Decision-Making and Profiling
The PIPL also provides protections against automated decision-making and profiling. Data controllers must inform individuals if their personal information will be used for automated decision-making, and individuals have the right to request human intervention. Additionally, data controllers must obtain explicit consent from individuals before using their personal information for profiling purposes.
Regulatory Bodies and Legal Enforcement
China's privacy laws are enforced by various regulatory bodies and government agencies, including the Cyberspace Administration of China (CAC) and the State Administration for Market Regulation (SAMR). These agencies are responsible for ensuring that organizations comply with relevant regulations, obtain consent where required, and ensure data security and ethical practices.
Supervisory Authorities
The CAC is responsible for supervising and regulating China's cyberspace, including data privacy and security. It has the power to investigate and penalize organizations that violate China's data protection laws. The SAMR, on the other hand, is responsible for regulating market activities and enforcing consumer protection laws. It also has the power to investigate and penalize organizations that violate China's data protection laws.
Penalties and Legal Liabilities
Organizations that violate China's data protection laws may face severe penalties and legal liabilities. The penalties may include fines, suspension of business operations, and even revocation of business licenses. In addition, organizations may face legal liabilities, including civil lawsuits and criminal charges.
To comply with China's data protection laws, organizations must adopt appropriate measures to ensure the security of personal data and protect the privacy rights of individuals. This includes obtaining consent from individuals before collecting, using, or disclosing their personal data, implementing appropriate security measures to protect personal data from unauthorized access, and ensuring that personal data is only used for legitimate purposes.
Conclusion
The significance of complying with China's privacy law is clear for businesses operating within the nation's borders. Adapting to these rules isn't just about dodging fines; it reflects a deep respect for personal privacy and a commitment to the ethical handling of data. As the digital economy continues to grow, keeping up with these developments is crucial for maintaining compliance and showcasing your dedication to international data protection standards.
As you navigate these waters, you might also be curious about other regulatory landscapes in China, such as environmental law. To maintain a well-rounded understanding of your compliance obligations, delve into our detailed examination of China’s Environmental Protection Law. Staying informed on these fronts is essential to running a sustainable and responsible business in China's vibrant economic environment.
Frequently Asked Questions
Do Chinese citizens have privacy rights?
Yes, Chinese citizens have privacy rights. The Personal Information Protection Law (PIPL), adopted on August 20, 2021, aims to protect the personal information of Chinese citizens. The PIPL imposes strict legal restrictions on the processing, use, and management of personal data.
What is important data under PIPL?
Important data refers to data that, if leaked, may directly affect national security, economic security, social stability, or public health and safety. The PIPL requires that important data be stored in China and that cross-border transfers of important data be approved by the authorities.
How restricted is the Internet in China?
The Internet in China is subject to strict government censorship and control. The Great Firewall of China blocks access to many foreign websites and services, and the government monitors online activity for content deemed to be politically sensitive or harmful to public order.
What is the penalty for public surveillance in China?
The PIPL prohibits public surveillance without consent and imposes severe penalties on violators. Individuals and organizations that engage in illegal surveillance may be fined up to RMB 50 million (approximately USD 7.7 million) or 5% of their annual revenue, whichever is higher.
Does China use GDPR?
No, China does not use GDPR. The PIPL is China's first comprehensive privacy law and is modeled after the European Union's General Data Protection Regulation (GDPR). However, there are some differences between the two laws.
What is the difference between China PIPL and GDPR?
The China PIPL and GDPR have several differences. The PIPL requires important data to be stored in China and imposes restrictions on cross-border transfers of important data. The GDPR does not have such requirements. Additionally, the PIPL imposes higher fines for violations of the law than the GDPR.